How long is a 302 redirect saved in browser?
Add the Cache-Control: no-store header to the response and it won't be cached. As of Jul 20, 2020 all mainstream browsers respect this.
Beware of intermediate caches though (proxy / CDN): If an intermediary has a nonzero minimum TTL, your response will be cached no matter what you do. See for example:
Managing How Long Content Stays in an Edge Cache (Expiration), last line of the table (Origin adds Cache-Control: no-cache, no-store, and/or private directives to objects). In this case, the only way to prevent caching is to set the TTL to 0 (and add the Cache-Control: no-store header of course).
The standard referenced by Jon Lin here uses "SHOULD", which is not as strong as "MUST" in RFC lingo. This is not just a theoretical distinction; Cloudflare, for example, does cache redirects:
If no cache headers are provided (no Cache-Control or Expires) and the url is cacheable (.jpg, .css, .js etc.) then CloudFlare caches both 301 and 302s. We cache 301 for a couple of hours and 302s for a shorter period of time (~20 minutes).
So you should either make sure you can handle it or use explicit headers (e.g. Cache-Control: private, no-cache) to direct browsers and intermediates against caching it.
Using Steve Souders' Redirect Caching Tests tool (thanks @LeonidVasilev), it seems that the results may not be what are expected. With no expires headers or cookies, the results were as follows:
Chrome 71: Not Cached ✔
Firefox 64: Cached ✕
Safari 12: Cached ✕
So despite what RFC 2616, section 10.3.3 302 Found states, not all browsers follow these guidelines or what might be considered expected behaviour :(
It shouldn't be cached at all unless there's also a Cache-Control or Expires header returned by the web server. According to RFC 2616, section 10.3.3 302 Found:
The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.
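An added example, not taken from any of the answers above: a small Python check that reads a redirect response's Cache-Control and Expires headers and reports what they ask of a browser and of a shared cache (proxy / CDN). The function names and verdict labels are assumptions made for this illustration; "unspecified" marks the case the answers describe, where no explicit policy is sent and browsers and CDNs behave differently.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"')
    return out

def _seconds(cc, key):
    try:
        return int(cc[key])
    except (KeyError, ValueError):
        return None

def classify_redirect(headers, now=None):
    """Return (browser, shared_cache) verdicts for a redirect's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return ("never-stored", "never-stored")
    if not cc and "expires" not in h:
        # No explicit policy: behaviour is left to each browser or CDN.
        return ("unspecified", "unspecified")
    max_age, s_maxage = _seconds(cc, "max-age"), _seconds(cc, "s-maxage")
    if max_age is None and "expires" in h:
        now = now or datetime.now(timezone.utc)
        try:
            exp = parsedate_to_datetime(h["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            max_age = int((exp - now).total_seconds())
        except (TypeError, ValueError):
            max_age = 0  # an unparseable Expires (e.g. "0") counts as expired

    def verdict(age):
        if "no-cache" in cc or (age is not None and age <= 0):
            return "revalidate"
        return "cacheable" if age else "unspecified"

    # s-maxage overrides max-age for shared caches; private excludes them.
    shared_age = s_maxage if s_maxage is not None else max_age
    shared = "never-stored" if "private" in cc else verdict(shared_age)
    return (verdict(max_age), shared)
```

The verdicts describe only what the headers request; an intermediary configured with a nonzero minimum TTL, as the first answer notes, can still cache the response.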